SD-WAN

I have a service called "GoogleDNS-Quad8"  that point to 8.8.8.8 with a service route that points to my fitlet WAN interface.  I initiated a persistent ping to the IP and it's getting replies just fine.  Then, I go to the service and switch the "Enabled" switch to 'false.'  The ping continues to go thru. 

In the disabled state, I add tcp and nothing else to the Service Transport.  Nothing happened.  Then, I turned it on and the pings stopped.  Then I turned it off.  The pings resumed with the service disabled.

I messed around some more and it seems that the service will make a decision on packet flows while it's enabled and will continue to forward traffic whether or not the service is disabled, unless the parameters change while it's enabled.

Is this the expected behavior?  If so, what is the intention of the switch?

At the posting of this image, the pings continue.


------------------------------
Peter Chiou
------------------------------

In general, once a session is established modifying the underlying attributes of the service used to establish it won't matter. This is most evident when changing an access-policy, for example: if instead of disabling your service you denied your client from sending pings, they'd still continue.

This is because the disposition of a packet is typically only considered for the first packet of a new session; in the 128T's "service area, " (analogous to a slow path on legacy equipment) we make a forwarding decision for all packets of that session and install a forwarding rule in our session table. This forwarding rule contains all of the logic necessary for handling ensuing packets in that session (NAT translations, encryption, DSCP decoration, etc.). Changing a service does not affect how the existing sessions are treated.

However, if there is some disruption that causes another packet to be sent up to the service area for disposition, your changes WILL be accounted for. By disruption, I mean a path failure, link failure, etc. When a disruption to the network occurs, sessions that reference that path are marked "dirty" and the next packet arriving on that session is sent up to get revised treatment.

I hope this helps!

------------------------------
pt.
------------------------------

Original Message:
Sent: 01-03-2020 01:01
From: Peter Chiou
Subject: Service "Enabled" switch

I have a service called "GoogleDNS-Quad8"  that point to 8.8.8.8 with a service route that points to my fitlet WAN interface.  I initiated a persistent ping to the IP and it's getting replies just fine.  Then, I go to the service and switch the "Enabled" switch to 'false.'  The ping continues to go thru.

In the disabled state, I add tcp and nothing else to the Service Transport.  Nothing happened.  Then, I turned it on and the pings stopped.  Then I turned it off.  The pings resumed with the service disabled.

I messed around some more and it seems that the service will make a decision on packet flows while it's enabled and will continue to forward traffic whether or not the service is disabled, unless the parameters change while it's enabled.

Is this the expected behavior?  If so, what is the intention of the switch?

At the posting of this image, the pings continue.

------------------------------
Peter Chiou
------------------------------

Original Message------

In general, once a session is established modifying the underlying attributes of the service used to establish it won't matter. This is most evident when changing an access-policy, for example: if instead of disabling your service you denied your client from sending pings, they'd still continue.

This is because the disposition of a packet is typically only considered for the first packet of a new session; in the 128T's "service area, " (analogous to a slow path on legacy equipment) we make a forwarding decision for all packets of that session and install a forwarding rule in our session table. This forwarding rule contains all of the logic necessary for handling ensuing packets in that session (NAT translations, encryption, DSCP decoration, etc.). Changing a service does not affect how the existing sessions are treated.

However, if there is some disruption that causes another packet to be sent up to the service area for disposition, your changes WILL be accounted for. By disruption, I mean a path failure, link failure, etc. When a disruption to the network occurs, sessions that reference that path are marked "dirty" and the next packet arriving on that session is sent up to get revised treatment.

I hope this helps!

------------------------------
pt.
------------------------------